The background description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent the work is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure.
Domain Name System (DNS) is a protocol and service used on the Internet. DNS is commonly used to map domain names to Internet Protocol (IP) addresses. When users enter a domain name (e.g., example.com) in a web browser, DNS is used to perform a forward lookup to find one or more IP addresses for that domain name.
DNS is a hierarchical system. Each level in the hierarchy can be provided by another server with different ownership. For the Internet, there are 13 root DNS servers labeled A thru M. These root DNS servers are implemented by many more than 13 physical servers. The hierarchical nature of DNS can be explained using an example. Consider an example request for an IP address of a domain named my.test.example.com. A new request will first go to the root DNS servers to find which DNS server controls the .com top level domain. The .com DNS server will provide the DNS server that controls example.com domain. Next, the example.com DNS server will provide the DNS server that controls the test.example.com domain. Finally, the test.example.com DNS server will provide the IP address for my.test.example.com.
With the hierarchical system, a given domain owner can define authoritative servers for its domain. That is, the user is in control of the ultimate destination host for DNS queries for its domain. In a typical enterprise, endpoints do not make DNS requests directly to the Internet. Internal DNS servers provide DNS services to an endpoint. However, since DNS will forward requests until the authoritative name server is contacted, an attacker with access on an internal endpoint can leverage the DNS infrastructure of the enterprise for DNS tunneling to a domain that the attacker controls.
DNS tunneling is a method of embedding data in DNS queries and responses between a compromised client and a malicious DNS server, which allows for data exfiltration and botnet command and control (explained below). With DNS tunneling, another protocol can be tunneled through DNS. A DNS tunnel can be used for command and control, data exfiltration, and/or tunneling of any IP traffic. DNS tunnels allow circumventing access and security policies in firewalled networks. Such a security breach can be misused for activities like free web browsing, command and control traffic, and/or cyber espionage.
DNS tunneling is possible because DNS requests are generally not filtered at the firewall, effectively opening a security breach. The fact that information bypasses a first line of network security mechanism makes DNS tunneling very attractive in contexts other than free web browsing. Some examples include command and control and data exfiltration in cyber-espionage attacks, where an attacker needs an available but inconspicuous communication channel, which DNS provides.
DNS tunneling works by encapsulating data into DNS packets. Typically, a tunnel client (i.e., a compromised client) encapsulates data to be sent in a query for a specific domain name. A DNS resolver treats the tunnel traffic as a regular request by starting a lookup process for the requested domain name, possibly recursively consulting other DNS resolvers. At the end of this operation, the request is processed by a tunnel server (i.e., a malicious DNS server). The tunnel server retrieves the encapsulated data and responds to DNS queries by enclosing tunnel data (i.e., malicious IP addresses and/or data) in the answer section of the DNS response message.
The DNS protocol is also used in botnet communications between bot-infected computers and command and control (C&C) servers. A “bot” is a type of malware that allows an attacker to take control over an affected computer. A botnet (the term “botnet” is formed from the words “robot” and “network”) is a network of computers, infected with malicious software (malware) and controlled by cybercriminals without the knowledge of the owners of the computers, set up to forward transmissions (including spam or viruses) to other computers on the Internet. Since DNS protocol is used for most Internet services, it is difficult to simply block DNS traffic based on the possibility of usage of DNS protocol in botnet communications, which is why attackers use DNS protocol in botnet communications.